Scheduled Dynamic Updates in an HA Environment

Created On 09/26/18 13:50 PM - Last Modified 06/13/23 04:36 AM


Issue

When "sync-to-peer" is enabled for dynamic updates (Application and Threats or Antivirus) that are scheduled to occur at the same time on both nodes of an HA cluster, the downloaded image may fail to copy to the peer.

Resolution

"Sync-to-peer" is intended for deployments where the HA secondary has no path to the Internet from its management interface. In this scenario, the secondary device relies on the primary device to push the dynamic updates to it. (In passive mode, the secondary may have no active interfaces on the dataplane.)

If "sync-to-peer" is configured on both nodes, do not schedule the update process at the same time on both HA nodes. The copy may fail because both nodes attempt to copy to each other. In rare cases, this failure may cause unexpected behavior such as an HA1 link flap. For stable updates, the best practice is to stagger the scheduled update times on the two "sync-to-peer"-enabled devices with a sufficient gap (try 30 minutes).
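
The staggering rule can be checked before schedules are committed. The following Python is an added example, not Palo Alto Networks code: it assumes daily schedules recorded in a constructed inventory (the dictionary keys and sample times are hypothetical, not a PAN-OS export format) and, as a conservative assumption, compares every sync-to-peer schedule on one node with every one on the peer regardless of update type.

```python
from itertools import product

MIN_GAP_MINUTES = 30  # the gap the article suggests trying


def to_minutes(hhmm):
    """Convert 'HH:MM' to minutes after midnight."""
    hours, minutes = map(int, hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid time: {hhmm}")
    return hours * 60 + minutes


def circular_gap(a, b):
    """Shortest distance between two daily times, wrapping at midnight."""
    diff = abs(to_minutes(a) - to_minutes(b))
    return min(diff, 1440 - diff)


def find_conflicts(node_a, node_b, min_gap=MIN_GAP_MINUTES):
    """Return (update_a, time_a, update_b, time_b, gap) for risky pairs.

    Only schedules with sync-to-peer enabled on BOTH sides are compared,
    because that is the case the article warns about.
    """
    pushing_a = [s for s in node_a if s["sync_to_peer"]]
    pushing_b = [s for s in node_b if s["sync_to_peer"]]
    conflicts = []
    for a, b in product(pushing_a, pushing_b):
        gap = circular_gap(a["at"], b["at"])
        if gap < min_gap:
            conflicts.append((a["update"], a["at"], b["update"], b["at"], gap))
    return conflicts


# Constructed sample inventory (not exported from a real device).
FW_A = [
    {"update": "threats", "at": "02:00", "sync_to_peer": True},
    {"update": "anti-virus", "at": "23:50", "sync_to_peer": True},
]
FW_B = [
    {"update": "threats", "at": "02:00", "sync_to_peer": True},
    {"update": "anti-virus", "at": "00:10", "sync_to_peer": True},
]

if __name__ == "__main__":
    for ua, ta, ub, tb, gap in find_conflicts(FW_A, FW_B):
        print(f"node A {ua}@{ta} vs node B {ub}@{tb}: gap {gap} min")
```

The second sample pair shows why the comparison wraps at midnight: 23:50 and 00:10 are only 20 minutes apart even though they fall on different calendar days.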

owner:  yogihara


